Cryptographic Future
Upcoming SlideShare
Loading in...5
×
 

Cryptographic Future

on

  • 389 views

Day 4 (of 4) of mini-course on Engineering Cryptographic Applications held at AMC Theater Tyson's Corner for Microstrategy, Inc. ...

Day 4 (of 4) of mini-course on Engineering Cryptographic Applications held at AMC Theater Tyson's Corner for Microstrategy, Inc.

See http://www.mightbeevil.com/crypto for details
October 25, 2013

Statistics

Views

Total Views
389
Views on SlideShare
353
Embed Views
36

Actions

Likes
0
Downloads
6
Comments
0

3 Embeds 36

http://www.mightbeevil.com 30
http://mightbeevil.com 5
http://www.mightbeevil.org 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Circuit structure is small and can be reused;Each GT can be used only once.Significance: 1) allow GC to easily scale to arbitrary problem size; 2) indirectly improves time efficiency;
  • People have done this before. What’s new here is achieving performance & scalability needed for realistic problems.

Cryptographic Future Cryptographic Future Presentation Transcript

  • Engineering Cryptographic Applications Day 4: Cryptographic Future David Evans University of Virginia www.cs.virginia.edu/evans Microstrategy Course 25 October 2013
  • Story So Far Day 1: Symmetric Ciphers Plaintext Ciphertext Encrypt Decrypt Plaintext Insecure Channel Key Key Kerckhoffs’ Principle, Cryptanalysis, AES Nonce 00000000 00000001 block 1 Engineering Crypto Applications k AES k block 2 block 1 evans@virginia.edu Nonce Counter AES Day 2: Using Symmetric Encryption Generating Keys (Dual-EC PRNG) Cipher Modes (CTR) Storing Passwords block 2 1
  • E Digital Signatures KRB Signed Message H D KUB = E Message D H Message KRB KUB Certificates TLS/SSL evans@virginia.edu Plaintext Key Agreement Asymmetric Ciphers RSA, ECC Plaintext Day 3: Public Key Protocols petitions.gov Engineering Crypto Applications 2
  • Recap Day 1: Symmetric Ciphers AES Sending Secret Messages Day 2: Using Symmetric Encryption PRNG, CTR Encrypting Long Messages Day 3: Public-Key Protocols D-H, RSA, ECC Key Agreement, Signatures TLS/SSL Establishing Secure Connect Things everyone in the developed and semi-developed world is using hundreds of times a day! evans@virginia.edu Engineering Crypto Applications 3
  • Today: Glimpses Into “Future” Biometrics Secure Multi-Party Computation Automated Protocol Testing Things that are only starting to be used outside of research labs (other than biometrics). evans@virginia.edu Engineering Crypto Applications 4
  • Biometrics evans@virginia.edu Engineering Crypto Applications 5
  • Appeal of Biometrics Convenient and Easy: nothing to remember or lose Humans like to feel unique Seems cool and futuristic evans@virginia.edu Engineering Crypto Applications 6
  • “iPhone 5s introduces Touch ID, an innovative way to simply and securely unlock your iPhone with just the touch of a finger. Built into the home button, Touch ID uses a laser cut sapphire crystal, together with the capacitive touch sensor, to take a high-resolution image of your fingerprint and intelligently analyze it to provide accurate readings from any angle.” evans@virginia.edu Engineering Crypto Applications 7
  • “iPhone 5s introduces Touch ID, an innovative way to simply and securely unlock your iPhone with just the touch of a finger. Built into the home button, Touch ID uses a laser cut sapphire crystal, together with the capacitive touch sensor, to take a high-resolution image of your fingerprint and intelligently analyze it to provide accurate readings from any angle.” evans@virginia.edu Engineering Crypto Applications 8
  • evans@virginia.edu Engineering Crypto Applications 9
  • evans@virginia.edu Engineering Crypto Applications 10
  • Voiceprints? evans@virginia.edu Engineering Crypto Applications 11
  • “My Voice is My Passport” evans@virginia.edu Engineering Crypto Applications 12
  • Meaningful Security Requires Secrets Biometrics may be okay for identification “Touch ID” (not “Touch Password”) Biometrics cannot be secret (and may not even be that unique) evans@virginia.edu Engineering Crypto Applications 13
  • “Secure-Against-Your-Spouse” Security vs. vs. Breakable by sophisticated adversary in a few hours evans@virginia.edu Engineering Crypto Applications Breakable by anyone in second 14
  • “Secure-Against-Your-Spouse” Security Biometrics are fine for identification and security against weak, unmotivated vs. vs. adversaries. Danger is that they give users a false sense of security. Breakable by sophisticated adversary in a few hours evans@virginia.edu Engineering Crypto Applications Breakable by anyone in second 15
  • Private Biometrics flickr cc: didbygraham evans@virginia.edu Engineering Crypto Applications 16
  • evans@virginia.edu Engineering Crypto Applications 17
  • (De)Motivating Application: “Genetic Dating” Alice Bob Genome Compatibility Protocol Your offspring will have WARNING! good immune systems! Don’t Reproduce Your offspring will have WARNING! good immune systems! Don’t Reproduce evans@virginia.edu Engineering Crypto Applications 18
  • Link evans@virginia.edu Engineering Crypto Applications 19
  • evans@virginia.edu Engineering Crypto Applications 20
  • $100,000,000 Cost to sequence human genome Moore’s Law prediction (halve every 18 months) $10,000,000 $1,000,000 $100,000 $10,000 Engineering Crypto Applications 21 Feb 2013 Aug 2012 Feb 2012 Aug 2011 Feb 2011 Aug 2010 Feb 2010 Aug 2009 Feb 2009 Aug 2008 Feb 2008 Aug 2007 Feb 2007 Aug 2006 Feb 2006 Aug 2005 Feb 2005 Aug 2004 Feb 2004 Aug 2003 Feb 2003 Aug 2002 Aug 2001 evans@virginia.edu Feb 2002 Ion torrent Personal Genome Machine $1,000
  • Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. Radoje Drmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, Paolo Carnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker, Krishna P. Pant, Jonathan Baccash, Adam P. Borcherding, Anushka Brownley, Ryan Cedeno, Linsu Chen, Dan Chernikoff, Alex Cheung, Razvan Chirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage, Brian Hauser, Steve Huang, Yuan Jiang, Vitali Karpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le, Jia Liu, Celeste E. McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, Brock A. Peters, Joe Peterson, Charit L. Pethiyagoda, Kaliprasad Pothuraju, Claudia Richter, Abraham M. Rosenbaum, Shaunak Roy, Jay Shafto, Uladzislau Sharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V. Thakuria, Anne Tran, Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, Snezana Drmanac, Arnold R. Oliphant, William C. Banyai, Bruce Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid. Science, January 2010. evans@virginia.edu Engineering Crypto Applications 22
  • Dystopia Personalized Medicine evans@virginia.edu Engineering Crypto Applications 23
  • Secure Multi-Party Computation evans@virginia.edu Engineering Crypto Applications 24
  • Secure Two-Party Computation Bob’s Genome: ACTG… Markers (~1000): *0,1, …, 0+ Alice’s Genome: ACTG… Markers (~1000): *0, 0, …, 1+ Alice Bob Can Alice and Bob compute a function on their private data, without exposing anything besides the result? evans@virginia.edu Engineering Crypto Applications 25
  • Secure Function Evaluation Alice (circuit generator) Bob (circuit evaluator) Garbled Circuit Protocol Andrew Yao, 1980s evans@virginia.edu Engineering Crypto Applications 26
  • Regular Logic Inputs Output a b x 0 0 1 0 1 0 0 0 0 1 1 1 a b AND x evans@virginia.edu Engineering Crypto Applications 27
  • Computing with Meaningless Values? Inputs Output a b x a0 a0 a1 b0 b1 b0 x0 x0 x0 a1 b1 x1 ai, bi, xi are random values, chosen by the circuit generator but meaningless to the circuit evaluator. evans@virginia.edu a0 or a1 b0 or b1 AND x0 or x Engineering Crypto1Applications 28
  • Computing with Garbled Tables Inputs Output x a0 a0 a1 b0 b1 b0 Enca0,b0(x0) Enca0,b1(x0) Enca1,b0(x0) a1 a0 or a1 b b1 Enca1,b1(x1) b0 or b1 Garbled And Gate AND x0 evans@virginia.edu or x1 Enca0, b1(x0) Enca1,b1(x1) Enca1,b0(x0) Enca0,b Applications Engineering Crypto0(x0) Bob can only decrypt one of these! a Random Permutation 29
  • Garbled Circuit Protocol Alice (circuit generator) Bob (circuit evaluator) Garbled Gate Enca0, b1(x0) Enca1,b1(x1) Enca1,b0(x0) Enca0,b0(x0) Sends ai to Bob based on her input value How does the Bob learn his own input wires? evans@virginia.edu Engineering Crypto Applications 30
  • Primitive: Oblivious Transfer Alice Bob Oblivious Transfer Protocol Oblivious: Alice doesn’t learn which secret Bob obtains Transfer: Bob learns one of Alice’s secrets Rabin, 1981; Even, Goldreich, and Lempel, 1985; many subsequent papers evans@virginia.edu Engineering Crypto Applications 31
  • Chaining Garbled Circuits And Gate 1 a0 a1 b0 AND AND Or Gate 2 b1 x1 x0 Enca10, b11(x10) Enca11,b11(x11) Enca11,b10(x10) Enca10,b10(x10) Encx00, x11(x21) Encx01,x11(x21) OR Encx01,x10(x21) Encx00,x10(x20) x2 … We can do any computation privately this way! evans@virginia.edu Engineering Crypto Applications 32
  • Building Computing Systems Encx00, x11(x21) Encx01,x11(x21) Encx01,x10(x21) Encx00,x10(x20) Digital Electronic Circuits Garbled Circuits Operate on known data Operate on encrypted wire labels One-bit logical operation requires moving a few electrons a few nanometers (hundreds of Billions per second) One-bit logical operation requires performing (up to) 4 encryption operations: very slow execution Reuse is great! Reuse is not allowed for privacy: huge circuits needed evans@virginia.edu Engineering Crypto Applications 33
  • Faster Circuit Execution Pipelined Execution Optimized Circuit Library Partial Evaluation Yan Huang (UVa PhD 2012) evans@virginia.edu Yan Huang, David Evans, Jonathan Katz, and Lior Malka. Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security 2011. Engineering Crypto Applications 34
  • Pipelined Execution Circuit Structure Circuit-Level Application GC Framework (Generator) Circuit Structure GC Framework (Evaluator) Encx00, x11(x21) Encx20, x21(x30) Encx20,(x2(x41) 1 Encx01,x1x4x3x3 )(x51) Enc 1 0,(x3 Encx21,x2x4 ,1x5 )(x61) Enc 1 0 1 01 Encx21(x2(x46 )(x71) Enc Encx01,x1x4 ,x310) x 11 0) Enc0 ,x31 ) 1 Encx21,x2x4x31,(x5 0) Enc0(x311(x6 1,x5 Encx21,x3x3 ,x60) 0) Enc0(x4 1 ) 1 Encx41,x30(x5(x7 0 Encx41,x50(x60) Encx31,x60(x71) x21 x31 x41 x51 x60 x71 Saves memory: never need to keep whole circuit in memory evans@virginia.edu Engineering Crypto Applications 35
  • Pipelining Circuit Generation Circuit Transmission Circuit Evaluation Waiting Circuit Generation Saves time: reduces latency and improves throughput Circuit Transmission Waiting evans@virginia.edu I d l i Circuit Evaluation n g Engineering Crypto Applications time 36
  • Results 1 10 Billions 0.8 8 0.6 6 0.4 4 0.2 2 0 100 000 gates/second x 10000 1.2 0 Fairplay [PSSW09] TASTY [HEKM11] Here Fairplay [PSSW09] TASTY Here [HEKM11] Scalability Performance (billions of gates) (10,000x non-free gates per second) evans@virginia.edu Engineering Crypto Applications 37
  • Passive Threat Model Ciphertext Plaintext Encrypt Decrypt Plaintext Insecure Channel Alice Bob Eve (passive attacker) evans@virginia.edu Engineering Crypto Applications 38
  • “Semi-Honest” Threat Model Circuits Generator Alice evans@virginia.edu Generate Evaluate Output Both parties follow the rules – but may try to learn more from execution transcript! Engineering Crypto Applications Bob 39
  • Active Attacker Insecure Channel (e.g., the Internet) Ciphertext Plaintext Encrypt Decrypt Alice Plaintext Bob Mallory (active attacker) evans@virginia.edu Engineering Crypto Applications 40
  • Active Threat Model Circuits Generator Generate Evaluate Output Either party do whatever they want Bob Alice evans@virginia.edu Engineering Crypto Applications 41
  • Garbled Circuits Are Half-Way! Privacy Nothing is revealed other than the output Generator Correctness The output of the protocol is indeed f(x,y) Evaluator As long as evaluator doesn’t send result back, privacy for evaluator is guaranteed. How can we get both correctness, and maintain privacy while giving both parties result? evans@virginia.edu Engineering Crypto Applications 42
  • Dual Execution Protocols Yan Huang, Jonathan Katz, and David Evans. Quid-Pro-Quo-tocols: Strengthening Semievans@virginia.edu Engineering Crypto Applications Honest Protocols with Dual Execution. IEEE Security and Privacy (Oakland) 2012. 43
  • Dual Execution Protocol Alice generator Bob first round execution (semi-honest) evaluator z=f(x, y) evaluator second round execution (semi-honest) generator z'=f(x, y) z’, learned output wire labels evans@virginia.edu fully-secure, authenticated equality test Pass if z = z’ and correct wire labels Engineering Crypto Applications z, learned output wire labels 44 [Mohassel and Franklin, PKC’06+
  • Security Properties Correctness: guaranteed by authenticated, secure equality test Privacy: Leaks one (extra) bit on average adversarial circuit generator provides a circuit that fails on ½ of inputs Malicious generator can decrease likelihood of being caught, and increase information leaked when caught (but decreases average information leaked): at extreme, circuit fails on just one input evans@virginia.edu Engineering Crypto Applications 45
  • 1-bit Leak Cheating detected evans@virginia.edu Engineering Crypto Applications 46
  • Proving Security: Malicious Show equivalence Ideal World A y' x' Trusted Party in Ideal World Adversary receives: f (x‘, y‘) Real World A B B x' y' Secure Computation Protocol Corrupted party behaves arbitrarily Standard Active Security Model: can’t prove this for Dual Execution evans@virginia.edu Engineering Crypto Applications 47
  • Proof of Security: One-Bit Leakage Ideal World A Controlled by malicious A y' Adversary receives: f (x‘, y') and g(x‘, y‘) Trusted Party in Ideal World x' B g R {0, 1} g is an arbitrary Boolean function selected by adversary Can prove equivalence to this for Dual Execution protocols evans@virginia.edu Engineering Crypto Applications 48
  • Implementation Alice generator Bob first round execution (semi-honest) Recall: work to generate is 3x work to evaluate! evaluator second round execution (semi-honest) evaluator z=f(x, y) generator z'=f(x, y) z’, learned output wire labels evans@virginia.edu fully-secure, authenticated equality test Pass if z = z’ and correct wire labels Engineering Crypto Applications z, learned output wire labels 49
  • FairPlay (2004) [10k*10k alignment] $100,000,000 Free XOR $10,000,000 $1,000,000 $100,000 HEKM $10,000 Schneider & Zhoner 2013 evans@virginia.edu Engineering Crypto Applications Apr 2013 Sep 2012 Feb 2012 Jul 2011 Dec 2010 May 2010 Oct 2009 Mar 2009 Aug 2008 Jan 2008 Jun 2007 Nov 2006 Apr 2006 Sep 2005 Feb 2005 Jul 2004 Dec 2003 May 2003 Oct 2002 Mar 2002 Aug 2001 $1,000 50
  • $100,000,000,000 Active Security $10,000,000,000 $1,000,000,000 Semi-Honest $100,000,000 KSS 2011 $10,000,000 $1,000,000 HKE 2013 $100,000 1-bit leak $10,000 evans@virginia.edu Engineering Crypto Applications Apr 2013 Sep 2012 Feb 2012 Jul 2011 Dec 2010 May 2010 Oct 2009 Mar 2009 Aug 2008 Jan 2008 Jun 2007 Nov 2006 Apr 2006 Sep 2005 Feb 2005 Jul 2004 Dec 2003 May 2003 Oct 2002 Mar 2002 Aug 2001 $1,000 51
  • Opportunities for Encrypted Computation Secure Multi-Party Computation Practical (or nearly practical) today for some applications…and improving rapidly! Verifiable Computation Outsourced Computation (e.g., AdWords auctions) (Homomorphic Encryption) These applications are 10-1Mx away from being practical…but improving very rapidly! evans@virginia.edu Engineering Crypto Applications 52
  • Yuchen Zhou (UVa Computer Engineering PhD Student) evans@virginia.edu Engineering Crypto Applications 54
  • Single Sign-On evans@virginia.edu Engineering Crypto Applications 55
  • Will developers who follow the directions end up building a secure application? The requested response type, one of code or token. Defaults to code… evans@virginia.edu Facebook documentation Engineering Crypto Applications example 56
  • Modeling SSO System Mallory Client SDK MalAppC FooAppC FooAppS Service SDK Client runtime Service runtime Identity Provider (IdP) Reason about all possible applications that can be built using the SDK evans@virginia.edu Engineering Crypto Applications 57
  • Credential Misuse Vulnerability access_token Facebook back end Welcome, Alice! Foo App Client Foo App Server evans@virginia.edu Engineering Crypto Applications 58
  • Credential Misuse Vulnerability access_token Facebook back end Welcome, Alice! Foo App Malicious Client App Client Foo App Server evans@virginia.edu Engineering Crypto Applications 59
  • Credential Leakage Vulnerability OAuth Credentials evans@virginia.edu Engineering Crypto Applications 60
  • How Common Are These Vulnerabilities? evans@virginia.edu Engineering Crypto Applications 61
  • Simulating Users evans@virginia.edu Engineering Crypto Applications 62
  • Enrolling Test Accounts evans@virginia.edu Engineering Crypto Applications 63
  • Oracle Automatically test if site is vulnerable by looking at visual clues and traffic. evans@virginia.edu Engineering Crypto Applications 64
  • Dataset Test the top-ranked 20,000 websites (from quantcast.com) for 5 vulnerabilites 3 machines for 3 days evans@virginia.edu Engineering Crypto Applications google.com youtube.com facebook.com msn.com amazon.com twitter.com ebay.com pinterest.com yahoo.com bing.com microsoft.com … 65
  • 45% 1700 of top-20000 sites use Facebook SSO % supporting FB SSO 40% 35% 30% 25% 20% 15% 10% 5% 0% Top-Ranked Sites evans@virginia.edu Site rank percentile (20K) Engineering Crypto Applications 20,000th-ranked site 66
  • 20% 50 sites Percent of Sites Vulnerable 30% 10% 20% of sites (in top 20,000) that integrate Facebook SSO have at least one serious vulnerability detected by SSOScan 0% 20,000th-ranked site Top-Ranked Sites evans@virginia.edu Engineering Crypto Applications 67
  • Responses from Sites 20 vendors contacted normally 12: no response 6: auto-generated response 2: manual responses 0: fixed evans@virginia.edu Engineering Crypto Applications 68
  • ssoscan.org evans@virginia.edu Engineering Crypto Applications 69
  • Next Friday’s Talk! Rice Hall 85 Engineer’s Way University of Virginia Charlottesville, Va evans@virginia.edu Engineering Crypto Applications 70
  • Home of Famous Cryptographer! evans@virginia.edu Engineering Crypto Applications 71
  • evans@virginia.edu MightBeEvil.com/crypto evans@virginia.edu Engineering Crypto Applications 72
  • evans@virginia.edu Engineering Crypto Applications 73
  • evans@virginia.edu Engineering Crypto Applications 74